Add security context template for keystone-webhook container

This implements security context override at pod level and adds
readOnly-fs to keystone-webhook container

Change-Id: Ia67947b7323e41363a5ee379c0dfb001936b5107
This commit is contained in:
KHIYANI, RAHUL (rk0850) 2020-08-11 09:45:08 -05:00
parent 10fd77b6e4
commit a58a78ff83
2 changed files with 10 additions and 6 deletions

View File

@ -37,13 +37,12 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "kubernetes-keystone-webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
containers:
- name: kubernetes-keystone-webhook
{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "kubernetes_keystone_webhook" "container" "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/start.sh
readinessProbe:

View File

@ -48,9 +48,14 @@ network:
port: 30601
pod:
user:
kubernetes-keystone-webhook:
uid: 65534
security_context:
kubernetes_keystone_webhook:
pod:
runAsUser: 65534
container:
kubernetes_keystone_webhook:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
affinity:
anti:
type: